OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

Use of the Internet at NRC

OIG-02-A-01        October 15, 2001

AUDIT REPORT

All publicly available OIG reports (including this report) are accessible through
NRC’s website at: http://www.nrc.gov/NRC/OIG/index.html

October 15, 2001

MEMORANDUM TO:    William D. Travers
                  Executive Director for Operations

FROM:             Stephen D. Dingbaum \RA\
                  Assistant Inspector General for Audits

SUBJECT:          USE OF THE INTERNET AT NRC (OIG-02-A-01)

Attached is the Office of the Inspector General’s audit report titled, Use of the Internet at NRC.

This report reflects the results of our review to determine whether NRC employees’ use of the
Internet is appropriate, and in compliance with NRC policy. Based on Internet activity over an
eight-day period in June 2001, at least 52 percent, and as much as 79 percent of employee
Internet activity was for personal use. Some personal use, such as looking at sexually explicit
web sites, was in direct violation of NRC policy. Personal use can also slow information
transfer from the Internet, affecting the ability of others to use the Internet for business reasons.
Because of the amount of personal use and the occurrence of prohibited activity, NRC needs to
enforce its May 2001 information technology policy covering personal Internet usage.

At an exit conference held on October 3, 2001, NRC officials generally agreed with the report’s
findings and recommendations.
While agency officials chose not to provide a formal, written
response for inclusion in the report, they did provide editorial suggestions, which have been
incorporated where appropriate.

If you have any questions, please contact Corenthis Kelley at 415-5977 or me at 415-5915.

Attachment: As stated

cc:     John Craig, OEDO
        R. McOsker, OCM/RAM
        B. Torres, ACMUI
        B. Garrick, ACNW
        D. Powers, ACRS
        J. Larkins, ACRS/ACNW
        P. Bollwerk III, ASLBP
        K. Cyr, OGC
        J. Cordes, OCAA
        S. Reiter, CIO
        J. Funches, CFO
        P. Rabideau, Deputy CFO
        J. Dunn Lee, OIP
        D. Rathbun, OCA
        W. Beecher, OPA
        A. Vietti-Cook, SECY
        W. Kane, DEDR/OEDO
        C. Paperiello, DEDMRS/OEDO
        P. Norry, DEDM/OEDO
        M. Springer, ADM
        R. Borchardt, NRR
        G. Caputo, OI
        P. Bird, HR
        I. Little, SBCR
        M. Virgilio, NMSS
        S. Collins, NRR
        A. Thadani, RES
        P. Lohaus, OSP
        F. Congel, OE
        M. Federline, NMSS
        R. Zimmerman, RES
        J. Johnson, NRR
        H. Miller, RI
        L. Reyes, RII
        J. Dyer, RIII
        E. Merschoff, RIV
        OPA-RI
        OPA-RII
        OPA-RIII
        OPA-RIV


EXECUTIVE SUMMARY

BACKGROUND

The Internet provides computer access to an ever-expanding storehouse of
electronic information through the mass connection of networked computers.
Use of the Internet offers tremendous capabilities to employees in terms of
access to a wide variety of information sources relevant to their official duties.
However, along with tremendous advantages, the Internet provides access to a
wide variety of information that may not be consistent with business needs and
may be harmful or inappropriate for the work place.

PURPOSE

The Office of the Inspector General conducted this review to determine whether
Nuclear Regulatory Commission (NRC) employees’ use of the Internet is
appropriate and in compliance with NRC
policy.

RESULTS IN BRIEF

Based on Internet activity over an eight-day period in June 2001, at least 52
percent and as much as 79 percent of employee Internet activity was for
personal use. Some personal use, such as looking at sexually explicit web sites,
was in direct violation of NRC policy. Visits to sexually explicit web sites are
significant because the sites’ contents may be offensive to others and could
foster a hostile work environment, leading to potential legal liabilities for the
agency. Personal use can also slow information transfer from the Internet,
affecting the ability of others to use the Internet for business purposes.
Because of the amount of personal use and the occurrence of prohibited activity,
NRC needs to enforce and clarify its May 2001 information technology policy
covering personal Internet usage.

RECOMMENDATIONS

This report makes five recommendations to the Executive Director for
Operations to develop, issue, and communicate a revised Internet usage policy
and to restrict prohibited use. Recommendations can be found at page 11 of this
report.

AGENCY COMMENTS

At an exit conference held on October 3, 2001, NRC officials generally agreed
with the report’s findings and recommendations.
While agency officials chose
not to provide a formal, written response for inclusion in the report, they did
provide editorial suggestions, which have been incorporated where appropriate.


TABLE OF CONTENTS

EXECUTIVE SUMMARY
I     BACKGROUND
II    PURPOSE
III   FINDING
        NRC NEEDS TO ENSURE COMPLIANCE WITH ITS INTERNET USAGE POLICY
IV    SUMMARY
V     RECOMMENDATIONS
VI    AGENCY COMMENTS

APPENDICES
A.    SCOPE AND METHODOLOGY
B.    AGENCY DIAGRAM OF NRC’S FIREWALL


I. BACKGROUND

In today’s workplace, more and more companies are depending on the Internet
to provide or enhance communication. While the Internet is fast and
inexpensive, Internet usage can pose significant risks if it is not managed or is
abused.

The various forms of Internet activity have become ingrained in most corporate
cultures. Today, the Internet is used by roughly 90 million business workers in
the United States (U.S.) (about two-thirds of all workers) and about 120 million
workers outside the U.S. E-mail has replaced the telephone as the primary and
preferred method of business communication for those with Internet access.

The Internet provides computer access to an ever-expanding storehouse of
electronic information through the mass connection of networked computers.
Use of the Internet offers tremendous capabilities to employees in terms of
access to a wide variety of information sources relevant to their official duties.
However, along with tremendous advantages, the Internet provides access to a
wide variety of information that may not be consistent with business needs and
may be harmful or inappropriate for the work place.
Abuse, misuse, and overuse
by employees can:

+ in egregious cases, leave employers vulnerable to lawsuits (downloading
  of sexually explicit material has been viewed as creating a hostile work
  environment);

+ introduce various security issues, such as the release of confidential,
  proprietary, or otherwise sensitive information, or a download of
  unlicensed software or viruses;

+ cause a decline in employee productivity; and

+ strain network resources.

To counter these risks, organizations can approach the issue from both
behavioral and technological standpoints. Implementing a comprehensive
Internet usage policy addresses the behavioral issues. Such a policy codifies
usage guidelines and directives, designed to inform and educate employees
about proper practices with regard to Internet activity. Organizations must also
adopt technical measures, including:

+ tools to monitor Internet activity to enforce policy and identify offenders;

+ antivirus utilities to protect against malicious code at all potential points of
  infection;

+ secure e-mail solutions to protect information traveling across the
  Internet; and

+ archiving utilities and storage systems to ensure that messages are
  deleted or retained as appropriate.

A recent American Management Association survey found that more than
three-quarters of major U.S. firms (77.7 percent) record and review employee
communications and activities on the job, including Internet use.
This figure has
doubled since 1997. These firms monitor activity for a variety of reasons
including (1) legal compliance, (2) legal liability, (3) performance review, (4)
productivity measures, and (5) security concerns.


II. PURPOSE

The Office of the Inspector General (OIG) conducted this review to determine
whether Nuclear Regulatory Commission (NRC) employees’ use of the Internet
is in compliance with policy. Appendix A provides details of the scope and
methodology of this review.


III. FINDING

NRC NEEDS TO ENSURE COMPLIANCE WITH ITS INTERNET USAGE POLICY

Based on Internet activity from June 1-8, 2001, at least 52 percent and as much
as 79 percent of employee Internet activity is for personal use. Some personal
use, such as looking at sexually explicit web sites, was in direct violation of NRC
policy. Personal use can also slow information transfer from the Internet,
affecting the ability of others to use the Internet for business purposes.
Because of the amount of personal use and the occurrences of prohibited use,
NRC needs to enforce its policy for personal Internet usage.

Employee Use of the Internet Is Mostly for Personal Reasons

The Federal Chief Information Officer Council issued Government-wide policy
guidance on Internet usage in May 1999.(1) NRC’s revised information
technology policy, including Internet use, issued in May 2001,(2) closely follows
this guidance.
Under NRC’s policy, personal Internet use is acceptable when it
involves minimal or no additional expense to the Government, is performed on
the employee’s non-work time, does not interfere with NRC’s mission or
operation, does not violate the Standards of Ethical Conduct for Employees of
the Executive Branch regulations, and is not otherwise prohibited by law. Prior to
the May 2001 information technology policy, NRC restricted employees’ use of
the Internet to business only.

(1) Recommended Executive Branch Model Policy/Guidance on Limited Personal Use of Government
    Office Equipment Including Information Technology, Federal Chief Information Officer Council,
    May 28, 1999.
(2) NRC Management Directive 2.7, Personal Use of Information Technology, dated May 9, 2001.

NRC maintains an Internet connection through an Internet service provider to
serve the needs of its employees. Employee computers connected to an NRC
network are always connected to the Internet. NRC then provides a single
control point for all employee Internet use: a proxy server that is part of NRC’s
firewall system. All information from Internet sites accessed by NRC employees
comes through the proxy server before being delivered to individual computers.
Appendix B provides a diagram of NRC’s firewall system. NRC’s firewall system
creates a log reflecting all of the Internet activity of employees.
The log also
records a number of pieces of information related to each Internet access.

OIG reviewed employee(3) Internet use over an eight-day period in June 2001, a
period shortly following issuance of NRC’s revised policy. To analyze employee
use of the Internet, OIG used data from NRC’s firewall log that provided the
amount of information transferred(4) through the proxy server. Internet activity
was categorized as business or personal or other based on the material at the
web site. In addition, some sites could have been used for either business or
personal reasons (Mixed Use in this report). Examples are news sites and
search engines.

The Office of the Chief Information Officer (OCIO) also routes a significant
amount of information through the proxy server in monitoring network conditions
throughout NRC’s local and wide-area networks. And eight percent of the
activity is the result of advertising and other unrelated images that are displayed
when viewing web pages. The following chart shows a breakdown of Internet
use at NRC.(5)

(3) Employee use includes use of the Internet by NRC contractors. Contractors are not specifically
    covered by NRC’s Internet usage policy.
(4) This information transfer is referred to in this report as activity and indicates the actual number of
    bytes of information that were transferred to an employee’s computer through the proxy server.
    Activity reflects the actual burden of Internet use on NRC’s systems.
(5) Results discussed in this report are based on analysis of a sample representing about 75 percent
    of all Internet activity.

Breakdown of Internet Usage (chart)

    OCIO Use       34%
    Personal       30%
    Mixed Use      16%
    Business       12%
    Ads/Images      8%

As the chart indicates, the two largest users of NRC’s Internet system are OCIO,
to monitor the status of its networks(6), and employees for personal reasons. The
advertising and images loaded with Web pages are a large percentage of the
activity coming through NRC’s Internet connection.

(6) OIG informed OCIO of these results and OCIO is currently evaluating how it can reroute this traffic
    to reduce the burden on the proxy server.

To obtain statistics solely on employee Internet usage, OIG eliminated the OCIO
monitoring activity and Ads/Images from the analysis.
Activity in those
categories does not reflect the nature of sites accessed by employees. The
following chart then shows how employees are using the Internet.

Breakdown of Employee Use (chart)

    Personal       52%
    Mixed Use      27%
    Business       21%

The Mixed Use category shown in the previous chart is dominated by employees
accessing sites providing local and national news such as the Washington Post,
CNN, and USA Today. Those sites were not placed in either the business or
personal use category because OIG found no completely sound basis for doing
so.(7) Such sites could be potentially used for either business or personal
reasons. While OIG did not categorize these sites, the following chart provides
the reader the results of allocating different percentages of Mixed Use activity to
business or personal use. If the Mixed Use activity is eliminated, the ratio of
business to personal activity is 27 percent to 73 percent. Allocating Mixed Use in
this same ratio then results in no effect.
As shown in this chart, at least 52
percent and as much as 79 percent of employee Internet activity was for
personal use.

Alternative Allocations of Mixed Use (chart)

    Possible                   Resulting Total         Resulting Total
    Business/Personal Ratio    Business Use Percent    Personal Use Percent
    100/0                      48                      52
    50/50                      34                      66
    27/73                      27                      73
    0/100                      21                      79

(7) The information viewed by employees at each news and search engine site can be specifically
    determined and the activity categorized as business or personal. However, that requires
    examining tens or hundreds of thousands of web pages and was beyond OIG’s resource
    capabilities.

Breakdown of Personal Use (chart)

    Shopping            18%
    Financial           17%
    Web-based Email     16%
    Misc                16%
    Entertainment       11%
    Sports              10%
    Relationships        7%
    Sexually Explicit    5%

A further breakdown of the 52 percent of Internet activity categorized above as
personal use is shown in the above chart. As shown, employees accessed a
wide variety of sites. In addition, a significant number of individuals, including
contractors, abused the May 2001 usage policy. For example, more than 25
individuals used NRC’s Internet connection and Government computers to
access sexually explicit web sites.(8) In addition, a number of individuals
accessed other sites potentially in violation of NRC policy, including gambling
and hate sites. Visits to these types of web sites are significant because the
sites’ contents may be offensive to others and could foster a hostile work
environment, leading to potential legal liabilities for the agency.
Additionally, the
risk of liability could increase without active enforcement of the agency’s policy.

(8) Based on the first week’s results, review of prohibited activity was expanded to include information
    from May 21 through June 8, 2001. This prohibited activity was referred to OIG’s investigative staff.

The following chart provides a breakdown of business use. OIG considered all
travel and weather, and all IT sites as business.

Breakdown of Business Use (chart)

    U.S. Gov't          42%
    Travel & Weather    35%
    IT Sites            14%
    Misc                 9%

The following table shows the ten sites with the most activity accessed for either
business, personal, or a combination of personal and business reasons.

        Internet Address             Use          Category
     1  www.washingtonpost.com       Mixed Use    news
     2  www.cnn.com                  Mixed Use    news
     3  home.netscape.com            Mixed Use    news
     4  www.sportingnews.com         Personal     sports
     5  aolmail.aol.com              Personal     web-based e-mail
     6  www.geocities.com            Mixed Use    news
     7  www.usatoday.com             Mixed Use    news
     8  trading.etrade.com           Personal     financial
     9  Members.BlackPlanet.com      Personal     relationships
    10  www.ebay.com                 Personal     shopping

Personal use can also affect system performance because, if substantial, it can
considerably slow information transfer from the Internet, affecting the ability of
others to use the Internet for business purposes. An agency official stated that
an increase in Internet transactions put a significant load on the current Internet
equipment and resulted in Internet access problems agencywide.(9) The official
told OIG that the problem would, hopefully, be addressed by a contractor in the
next fiscal year.

Additional Concerns

NRC does not monitor Internet usage and does not screen for all potentially
harmful activity.(10) As a result, in addition to being able to access prohibited
material, employees are able to download files from the Internet that NRC does
not allow employees to obtain via e-mail. Without a policy to address potentially
damaging Internet activity and a screening process to enforce that policy, the
agency puts itself at risk for significant Internet-related losses.

OIG verified that some potentially harmful files can be downloaded via the
Internet. For example, OIG downloaded a Visual Basic Script file(11) from a
reliable Internet site.(12) OIG sent the same file into NRC’s network e-mail system
via the Internet. When sent via e-mail, the file was identified as potentially
harmful and removed from the e-mail message. A warning generated by the
e-mail system indicated the potentially damaging nature of the file.
Allowing such
files to be downloaded from Internet sites could allow employees to either
intentionally or unintentionally download potentially harmful files.

Executable files are one of the primary sources for virus propagation.(13) In
addition, users downloading unauthorized executable files may expose the
agency to issues of legal liability if the software is unlicensed. NRC’s Internet
usage policy prohibits the downloading of executable files. However, NRC does
not actively restrict such downloads, such as stopping them at the firewall. The
following table provides examples of the executable files that NRC employees
downloaded from the Internet during the period reviewed.

(9)  While NRC’s connection to the Internet has sufficient capacity for its current load, internal
     configuration problems are resulting in poor performance during peak usage periods.
(10) NRC officials told OIG they run a virus scan on Web-based e-mail and that the firewall system also
     filters certain types of content such as Java and ActiveX which are potentially malicious.
(11) Visual Basic Script (VBS) is a programming language that can invoke any system
     function--including starting, using and shutting down other applications without user knowledge.
     VBS programs can be embedded in certain files and provide active content via the Internet.
(12) The site was Microsoft. OIG first downloaded the file to a floppy disk and scanned it for harmful
     content.
(13) An executable file is contrasted with a document or data file and is usually executed by
     double-clicking its icon or a shortcut on the desktop. The vast majority of known viruses infect
     executable files. Most infected files are transmitted via e-mail.

    Compaq diagnostic software for WIN95/98
    Flashplayer - enables display of certain animated material
    WebShots screensaver
    Acrobat Reader software for Palm computers
    Microsoft Instant Messenger
    AOL (America Online) Instant Messenger

AOL Instant Messenger was downloaded a number of times by NRC employees
during the period reviewed, an activity prohibited by current policy if the software
is unauthorized. Security and consulting firm @Stake has issued a security
advisory warning against possible risks associated with AOL Instant Messenger.
According to @Stake, a security weakness would allow an attacker, through
e-mail or a malicious Web site, to remotely take control of a machine with AOL
Instant Messenger installed; the program does not even have to be in use.


IV. SUMMARY

NRC employees are allowed to access information technology, including the
Internet, for personal purposes when that use is in accord with NRC’s minimal
use policy. Other than OCIO monitoring tools, use of the Internet is, for the most
part, personal and is affecting system performance. In addition, prohibited
activity is occurring. However, NRC does not currently monitor Internet activity.

Granting employees access to the Internet is an effective business tool. Misuse
of the Internet, however, can diminish productivity and increase
telecommunications demands.
To minimize the misuse of the Internet,
management must take actions to increase employees’ awareness of the impact
of misuse, monitor use, and block prohibited sites and activity. In addition,
management must be proactive in establishing a policy that reflects all uses and
their implications to both employees and contractors. Failure to do so leaves the
agency vulnerable to threats posed by malicious files and vulnerable software,
the download and use of unlicensed software, and the potential legal liability of
such activities.


V. RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Initiate monitoring of Internet activity.

2. Review and clarify MD 2.7 to address Internet activity not currently
   covered, such as Visual Basic Script file type downloads.

3. Revise NRC Management Directives, as appropriate, to ensure NRC’s
   Internet use policy covers persons other than NRC employees who use
   NRC computers to access the Internet.

4. Restrict prohibited Internet activity using software or other means.

5. Issue a Yellow Announcement, or other appropriate communication,
   advising employees and other affected users of the agency’s revised
   policy and emphasizing that management will not tolerate prohibited
   activity.


VI. AGENCY COMMENTS

At an exit conference held on October 3, 2001, NRC officials generally agreed
with the report’s findings and recommendations.
While agency officials chose
not to provide a formal, written response for inclusion in the report, they did
provide editorial suggestions, which have been incorporated where appropriate.


Appendix A

SCOPE AND METHODOLOGY

The scope of this audit was generally limited to analysis and evaluation of the
use of the Internet during eight days in June 2001. To perform this review and
build a profile of employee usage, OIG obtained firewall logs from the agency for
the period under review. OIG determined the amount of information transferred
from each Web site using Microsoft Access and IDEA software. This information
transfer (termed activity) indicates the actual number of bytes of information that
were transferred to an employee’s computer through the proxy server. Activity
reflects the actual burden of Internet use on NRC’s systems. OIG analyzed
employee Internet usage by reviewing the 500 Web sites with the most activity.
Those sites represented about 75 percent of all Internet activity for the period
reviewed.

OIG trimmed each full Internet address shown in the firewall log to a base
address and reviewed the material at that address to evaluate its probable use.
For example, the Internet address http://www.nrc.gov/NRC/WHATIS/directio.html
would be evaluated based on the content at http://www.nrc.gov. Where the
base address did not provide sufficient information about the content available at
a Web page, OIG looked at the full address(es).
The Internet activity reviewed
represented use by about 2,950 NRC employees and contractors.

Based generally on the material at the main web page for each site accessed by
employees, OIG determined whether use was business, personal, or a
combination of personal and business use. OIG did not determine whether
employees were spending inappropriate amounts of time using the Internet for
personal reasons because firewall logs do not provide sufficient information to
make such a determination.

OIG reviewed NRC’s current Internet usage policy and the proposed policy from
the Federal Chief Information Officer Council. OIG also met with NRC officials
in the Offices of the Executive Director for Operations and the Chief Information
Officer.

This audit was conducted from June through August 2001 in accordance with
generally accepted Government auditing standards and included a review of
management controls related to the objectives of the audit. The major
contributors to this report were:

Corenthis Kelley, Team Leader
Robert Moody, Audit Manager
Beth Serepca, Audit Manager


Appendix B

AGENCY DIAGRAM OF NRC’S FIREWALL
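
The tally described in Appendix A (trim each logged address to its base address, sum the bytes transferred per site, rank the sites, split the reviewed activity by use), together with a check for the executable and Visual Basic Script downloads discussed under Additional Concerns, written out as an added example that is not part of the OIG report or its tooling. The log layout, the category mapping and the extension list are assumptions, and the sample lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines: "<date> <time> <client> <bytes> <url>". The report does
# not give the firewall log layout, so this field order is an assumption. Byte
# counts are chosen so the use split reproduces the report's 21/27/52 percent.
SAMPLE_LOG = """\
2001-06-01 09:02:11 10.0.0.11 1500 http://www.nrc.gov/NRC/WHATIS/directio.html
2001-06-01 09:03:40 10.0.0.12 600 http://WWW.NRC.GOV:80/index.html
2001-06-01 09:05:02 10.0.0.12 1500 http://www.washingtonpost.com/
2001-06-01 09:07:19 10.0.0.13 1200 http://www.cnn.com/
2001-06-01 09:10:55 10.0.0.13 3000 http://www.ebay.com/
2001-06-01 09:12:31 10.0.0.14 2200 http://www.sportingnews.com/
2001-06-01 09:15:00 10.0.0.14 600 http://ads.example.net/banner.gif
2001-06-01 09:16:48 10.0.0.15 350 http://downloads.example.com/tools/setup.EXE?mirror=2
2001-06-01 09:17:05 10.0.0.15 50 http://downloads.example.com/macros/report.vbs
this line is truncated
"""

# Reviewer-assigned use per base address (hypothetical mapping for the sample).
CATEGORY = {
    "www.nrc.gov": "business",
    "www.washingtonpost.com": "mixed",
    "www.cnn.com": "mixed",
    "www.ebay.com": "personal",
    "www.sportingnews.com": "personal",
    "ads.example.net": "ads",
}

# The report names executables and Visual Basic Script; the other two
# extensions are an assumption added for illustration.
RISKY_EXTENSIONS = (".exe", ".vbs", ".scr", ".bat")


def parse_line(line):
    """Return (client, nbytes, url), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return parts[2], int(parts[3]), parts[4]


def base_address(url):
    """Trim a full URL to its base address: lower-cased host, no port or path."""
    return (urlsplit(url).hostname or "").lower()


def activity_by_site(log_text):
    """Sum bytes transferred per base address; also count lines that were skipped."""
    activity, skipped = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        site = base_address(rec[2]) if rec else ""
        if not site:
            skipped += 1
            continue
        activity[site] += rec[1]
    return activity, skipped


def top_sites(activity, n):
    """The n busiest sites and the percent of all logged bytes they represent."""
    ranked = activity.most_common(n)
    total = sum(activity.values()) or 1
    return [s for s, _ in ranked], round(100 * sum(b for _, b in ranked) / total, 1)


def use_breakdown(activity, categories):
    """Percent of reviewed employee activity per use; ads and unreviewed sites are left out."""
    per_use = Counter()
    for site, nbytes in activity.items():
        use = categories.get(site)
        if use in ("business", "personal", "mixed"):
            per_use[use] += nbytes
    total = sum(per_use.values())
    return {use: round(100 * b / total, 1) for use, b in per_use.items()}


def personal_range(breakdown):
    """Lower bound counts no Mixed Use as personal; upper bound counts all of it."""
    low = breakdown.get("personal", 0.0)
    return low, round(low + breakdown.get("mixed", 0.0), 1)


def risky_downloads(log_text):
    """(client, url) for each fetch whose URL path ends in a risky extension."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(c, u) for c, _, u in recs
            if urlsplit(u).path.lower().endswith(RISKY_EXTENSIONS)]


if __name__ == "__main__":
    activity, skipped = activity_by_site(SAMPLE_LOG)
    shares = use_breakdown(activity, CATEGORY)
    print(top_sites(activity, 4), "skipped lines:", skipped)
    print(shares, "personal range:", personal_range(shares))
    print(risky_downloads(SAMPLE_LOG))
```

The extension check looks only at the URL path, so a query string after the file name or an upper-case extension does not hide a download; it says nothing about content served under a harmless-looking name.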